Mods make games more fun, but occasionally we get a reminder that the gaming industry is booming and remains a big target for gate-crashers and bad actors. A new vulnerability named “BleedingPipe” is causing Minecrafters to sit up and take notice. BleedingPipe enables complete remote code execution on modded game servers and on the clients connected to those servers. It can give cybercriminals access to a victim’s device and allow them to run malicious code or plant malware via remote commands.
BleedingPipe impacts several popular Minecraft mods. It’s active in the wild, so it poses a significant threat to Minecraft server administrators and the ordinary Minecraft players on their servers.
But why does the BleedingPipe vulnerability target mods, what are sandbox games, and is it even safe to keep playing Minecraft?
BleedingPipe is a Remote Code Execution (RCE) vulnerability. The flaw lies not in Forge itself, but in some popular mods that use unsafe deserialization code. According to the Minecraft Malware Prevention Alliance (MMPA), it’s not just a theoretical threat: there are examples of a bad actor exploiting it in the wild. It affects certain Minecraft mods running on versions 1.7.10 and 1.12.2 of Forge.
Mods like EnderCore, LogisticsPipes, and BDLib (which have already been fixed for the GT New Horizons versions), as well as Smart Moving 1.12, Brazier, Gadomancy, and DankNull, are known to be affected.
However, other versions of Minecraft could also be vulnerable if you’re running an affected mod.
Sandbox games allow players to create, modify, and explore a virtual world more freely than games with a progression-style environment. Some popular sandbox games include Minecraft and Grand Theft Auto Online.
Mods (modifications) are user-created tweaks or additions to a game that can be used to introduce new levels, characters, landscapes, or items. Anyone can create mods, which are often shared on servers within the gaming community for others to download and use. Minecraft modding is very popular, and many servers worldwide offer various custom world states for their fans.
However, many of these servers have been set up in a way that makes them susceptible to this new vulnerability. Attackers take over game servers to infect as many devices as possible. In a nutshell, the attackers send specially formulated network packets to vulnerable Minecraft mod servers in an attempt to take over the servers, which in turn will allow them to take over the client’s devices as well.
It may bring a tiny sigh of relief that the BleedingPipe vulnerability is based on a relatively well-known attack in the Java community. So, even though it is being actively exploited, Java developers are well-positioned to prepare a fix.
It relies on an already well-known issue with ObjectInputStream deserialization. This type of attack is generally known as a deserialization attack (gadget chain). Mods that use ObjectInputStream (OIS) for their networking code may be affected because it lets a remote party send packets containing maliciously crafted serialized objects, which the receiving side reconstructs before it has any chance to check what they are.
It’s a very serious flaw that could allow an attacker to drop and run a payload on the server, which can infect all the clients. The compromised servers act as the first link in a chain, with the next step being attacks on the players who inhabit the compromised servers.
The scale of the attack took everyone by surprise. According to the MMPA article referenced earlier, someone already scanned all Minecraft servers on the IPv4 address space, and they suspect that a malicious payload might have been deployed onto affected servers. They aren’t sure what the contents of the exploit were or if it was used to exploit the other clients on the affected servers, but they believe it to be possible.
Calls have been made for mod developers who use ObjectInputStream to immediately switch to a different, safer serializer or create their own serializers.
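To make the ObjectInputStream problem from the earlier paragraph concrete, and to show what a mod author can do short of replacing the serializer entirely, here is an added example (not code from any affected mod or from Forge): a constructed packet type, the weak decoding pattern, and a hardened variant that allow-lists the classes a packet may contain by overriding resolveClass(). The MovePacket class, the method names and the sample payloads are all assumptions made for the example.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

// Added example, not code from any affected mod: decoding a network packet with ObjectInputStream.
public class SafePacketDecoding {
    // Constructed stand-in for a mod's own network message type.
    public static final class MovePacket implements Serializable {
        private static final long serialVersionUID = 1L;
        public final int x, y, z;
        public MovePacket(int x, int y, int z) { this.x = x; this.y = y; this.z = z; }
    }

    // Weak pattern: readObject() instantiates whatever class the packet names,
    // provided it is on the server's classpath, before the handler ever sees it.
    public static Object decodeUnchecked(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // Hardened pattern: look-ahead allow-list. resolveClass() is called before an
    // instance is created, so any class not expected in a packet is rejected first.
    private static final Set<String> ALLOWED = Collections.singleton(MovePacket.class.getName());

    public static Object decodeAllowListed(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not permitted in packet");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        MovePacket ok = (MovePacket) decodeAllowListed(serialize(new MovePacket(1, 2, 3)));
        System.out.println("accepted MovePacket x=" + ok.x);
        // A stream naming any other class (a plain HashMap here, standing in for an
        // unexpected object) is refused before it is instantiated.
        try { decodeAllowListed(serialize(new java.util.HashMap<String, String>())); }
        catch (InvalidClassException e) { System.out.println("rejected " + e.classname); }
    }
}
```

On Java 9 and newer (and 8u121+) the same allow-list can be expressed with ObjectInputFilter instead of a resolveClass() override; either way, the allow-list is a mitigation for code that must keep ObjectInputStream, while the switch to a different serializer that the article describes removes the class of bug altogether.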
However, the MMPA believes the danger may persist even after the flaw is patched. They know several servers have been affected but don’t know what payload may have been dropped.
If you’re using any mods for Minecraft, you should stop and inspect the versions of the mods you’re using. If you have one of the mods known to be affected (e.g., EnderCore, LogisticsPipes, BDLib, Brazier, Smart Moving 1.12, Gadomancy, or DankNull) on Forge versions 1.7.10/1.12.2, it’s not safe. Other Forge versions may be safe unless you have an affected mod installed.
Still, all players should run a thorough antivirus scan on their PCs and use specialist tools to check their .minecraft directory for suspicious files. The MMPA recommends jSus or jNeedle. You won’t be affected if you don’t play on specialist servers.
Server administrators have been asked to take these 3 steps:
Server admins should stay alert and check regularly for any suspicious activity. They should apply updates and security patches as soon as they are released to help protect players.
Players should keep their antivirus solutions up to date and run regular scans to try and spot malicious activity. No one knows what the hidden payload is or when it will become active. Stay informed, keep endpoint protection software and VPNs on your private devices, and keep gaming!